Techjoomla Forum

  1. Jari Martikainen
  2. Joomla REST API
  3. Saturday, 31 March 2018
I recently added the REST API to my dev site and I was wondering if there is a reason for the users plugin to spit out the password hash?


index.php?option=com_api&app=users&resource=users&id={user_id}
will output the password hash from the user object since it is not unset on line 363 in plugins/api/users/user/users.php:

// If we have an id try to fetch the user
if ($id = $input->get('id'))
{
$user = JUser::getInstance($id);
if (!$user->id)
{
$this->plugin->setResponse($this->getErrorResponse(JText::_( 'PLG_API_USERS_USER_NOT_FOUND_MESSAGE' )));

return;
}
// Returns password hash unless unset below.
unset($user->password);
$this->plugin->setResponse($user);
}
else
{
$model = new UsersModelUsers;
$users = $model->getItems();

foreach ($users as $k => $v)
{
unset($users[$k]->password);
}

$this->plugin->setResponse($users);
}
You do not have permission to view the content of this accepted answer and replies.